Virtualization and Linux--A Primer (Part 2) - page 4

Xen

December 14, 2006

By
Carla Schroder

Don't laugh, these still have a place in your sandboxing schemes. Every Linux (and BSD and Unix) have chroots (change root) built-in, just waiting to be put to work. Chroots isolate applications from the root filesystem and from each other, so you can do dangerous things without endangering the whole system. Like run several Internet-facing servers on the same box, or test and develop software. BIND, Apache, and Postfix are examples of servers that are commonly run in chroot jails for added security, even when they're not sharing the box with other services.

Chroots are also used to run 32-bit applications on 64-bit systems when 64-bit versions don't exist. The most famous example is the Flash browser plugin, and various other closed-source plugins and multimedia codecs.

Chroots are not perfect protection, and it seems there is always one more important file that you forgot to put inside the jail. But there is no performance hit like there is with User-Mode Linux, and they're easy to set up. They're great for smaller networks where you have just a few servers to ride herd on, and don't feel like getting sucked into the virtualization vortex.